npm-token
Manage npm authentication tokens
TLDR
Create a new authentication token:
  npm token create
List all tokens associated with an account:
  npm token list
Delete a specific token using its token ID:
  npm token revoke <token-id>
Create a token with read-only access:
  npm token create --read-only
Create a token with publish access (the default when --read-only is omitted):
  npm token create
Automatically configure an npm token in your global .npmrc file when you log in:
  npm login
Remove a token from the global configuration:
  npm logout
SYNOPSIS
npm token list
npm token create [--read-only] [--cidr <ip-range>] [--description <text>]
npm token revoke <token-id>
PARAMETERS
list
Lists all active authentication tokens associated with the current npm user account. It displays token IDs, creation dates, last access dates, and any associated CIDR restrictions or read-only status.
create
Generates a new authentication token. This subcommand typically prompts for a one-time password (OTP) if two-factor authentication (2FA) is enabled for the npm account.
--read-only
(Applicable to create) Creates a token that grants read-only access to the npm registry. This token can install packages but cannot publish new ones.
--cidr
(Applicable to create) Restricts the newly created token's usage to a specific IP address range (e.g., 192.168.1.0/24). Multiple --cidr options can be provided to specify several allowed ranges.
--description
(Applicable to create) Assigns a descriptive text to the new token, making it easier to identify its purpose later when listing tokens.
revoke
Deactivates and deletes a specific authentication token. The token-id is obtained from the output of npm token list. Once revoked, the token can no longer be used for authentication.
DESCRIPTION
The npm token command is the npm utility for managing the authentication tokens used with the npm registry. These tokens authenticate a client to the registry for actions such as publishing packages, installing private packages, or accessing scoped packages. The command can list, create, and revoke tokens, giving granular control over what each token is permitted to do. This matters most in continuous integration (CI) environments or shared development setups, where interactive password-based login is impractical and storing a password is less secure than storing a scoped token. With tokens, automated processes or specific machines can be given only the permissions they need without exposing full user credentials.
CAVEATS
Security: Treat npm tokens as sensitive as your password. They grant access to your npm account. Do not expose them in public repositories or insecure environments.
Revocation: Always revoke tokens that are no longer needed or if you suspect they have been compromised.
2FA: If you have two-factor authentication (2FA) enabled for your npm account, creating a new token will require a one-time password (OTP) during the process.
CIDR Restrictions: While helpful, CIDR restrictions are based on the client's public IP address. If the client's IP changes frequently or is behind a proxy, this restriction might cause issues.
WHERE TOKENS ARE STORED
npm tokens are typically stored in the ~/.npmrc file on your local machine. However, the npm token command manages these on the registry side. When you create a token, it's generated by the registry and then saved to your ~/.npmrc.
RECOMMENDED USAGE
For CI/CD workflows, it's best practice to create dedicated read-only tokens or tokens with strict CIDR restrictions. Avoid using your primary login credentials or tokens with full publishing access in automated scripts or publicly accessible build environments.
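The recommendation above amounts to two habits: keep the token out of any file that is committed, and fail early if the secret is missing. The following shell functions are an added example (not part of the npm documentation) that assume the public registry at https://registry.npmjs.org and that the CI system injects the token as the environment variable NPM_TOKEN:

```shell
#!/bin/sh
# Added example, not from the npm project. Assumes the public registry at
# https://registry.npmjs.org and that CI supplies the secret as NPM_TOKEN.

# write_ci_npmrc FILE: write an .npmrc that references the token through an
# environment variable. npm expands ${NPM_TOKEN} at run time, so the file
# itself holds no secret and can be checked into the repository.
write_ci_npmrc() {
  printf '%s\n' '//registry.npmjs.org/:_authToken=${NPM_TOKEN}' > "$1"
}

# npmrc_has_literal_token FILE: exit 0 when FILE contains an _authToken whose
# value is a literal string rather than a ${VAR} reference, i.e. a token that
# would be committed together with the file. Useful as a pre-commit check.
npmrc_has_literal_token() {
  grep -E '_authToken=' "$1" 2>/dev/null \
    | grep -Ev '_authToken=\$\{[A-Za-z_][A-Za-z0-9_]*\}[[:space:]]*$' \
    | grep -q .
}

# check_ci_env: exit 0 only when the token is present, so a missing secret
# stops the job instead of silently falling back to an unauthenticated install.
check_ci_env() {
  [ -n "${NPM_TOKEN:-}" ]
}
```

In a pipeline the token is then created once with `npm token create --read-only` (optionally with `--cidr` for the runner's egress range) and stored in the CI secret store, never in the repository.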
HISTORY
The concept of authentication tokens for npm gained prominence as Continuous Integration/Continuous Delivery (CI/CD) pipelines became standard practice. Earlier methods often relied on storing usernames and passwords directly, which posed significant security risks. With the introduction of granular authentication tokens, npm provided a more secure and manageable way for automated systems and shared environments to interact with the registry. This feature significantly improved security posture and operational efficiency for npm users.